Summary of Features
- Event records are (draft)
POSIX-compliant and consist of a fixed structure representing attributes
of the event record, and a variable-length data buffer, containing the
- Supports logging of textual
strings and binary data and provides formatting templates for customized
formatting and displaying of event records.
- All events are written to
either the general event log, or to an optional private log, which has
more restrictive read access. Both logs are binary.
- Messages currently being
logged with printk() and syslog(), and handled by
the syslogd daemon, will also (optionally)
be logged into the new event log. When written to the new log, the
events will be written in a POSIX-compliant format and will contain
additional information which syslogd does not
log, including facility, severity, event type, user id, group id, process
id, process group id, thread id, and (in SMP systems) Processor id.
- In addition to the existing printk() and syslog() functions, new and more flexible
write functions are provided in both kernel and user-space.
- A facility registry, where
providers of event records can register new facilities that are uniquely
associated with their device driver, application program, etc. The
standard syslog facilities are also included in the facility
registry. The facility registry also provides facility-based logging
control (such as specifying where events
with a particular facility are written, the general event log or the
private event log).
- Users, or clients, that read
events from the event log for problem determination, system
administration, etc, are provided with 2 key capabilities:
- Ability to selectively
read only events from the log that matches a
- Ability to register
with an event notification server to be notified when events matching a
user-specified filter have been written to the event log and to also
specify what actions to take (function, command, or shell script to
execute) when notified.
- Extensive control and
management of events and the event logs, which includes:
- Configurable event buffer size
- Detection of event
buffer overrun conditions which causes events to be dropped (a
dropped-event count is logged)
- Optional discarding of
duplicate events (a discarded-event count is logged)
- Optional screening and
discarding of events which match System Admin specified criteria
- Utilities for
Remote event forwarding
feature that allows multiple hosts in the network to forward events via
UDP or TCP to a centralized "event consolidation" host. Logging of events locally on the source
hosts can optionally be disabled.
In addition to local logging
of events, and forwarding of events to a remote centralized host, a
plug-in architecture is provided which allows alternative "event
processors" to be easily added.
- Managing the size of
the log files
- Setting up automatic
removal of events that are no longer of interest, compacting and
truncating the log files, and reclaiming the space.